With the advent of the mobile enterprise, the need for a dynamic and flexible security framework to balance risk and trust becomes urgent. This need has led to the rapid expansion and growth of enterprise security technologies for mobility. In this article, the two most used mobile ecosystem management tools (Mobile Device Management and Mobile Application Management) are analyzed from a security point of view. In addition, a protection mechanism which strengthens the security aspect of the Mobile Device Management application is proposed. It fixes the Mobile Device Management security vulnerabilities and reduces the impact of attacks. On the basis of the characteristics of proposed approach activities, a functional diagram is presented.
RIF’20: The 9th Seminary of Computer Science Research at Feminine, March 7th, 2020, Constantine 2-Abdelhamid Mehri University, Algeria
In this paper, we have proposed a securing approach which can strengthen the MAM applications. The goal is to enable the company to take advantage of the business benefits of the mobile revolution, while protecting it, as well as its employees and customers, from potential risks. The main idea is to introduce a control mechanism at the MAM application level which makes a reaction requesting the intervention of administrators in the enterprise. It also applies a strategy for controlling access to resources and system services separately.
The remaining of this paper is organized as follows. Section 2 reviews the current state of the mobile enterprise and describes the risks associated with the most popular mobile device platforms and technologies. Then, it outlines the ways in which many of these risks can be mitigated. Section 3 and 4 specifies the main management tools used by mobile enterprise. Section 5 describes the proposed security mechanism which strengthens the security aspect of the applications. Section 6 includes a discussion of the direction of research taken by this work. Finally, some conclusions and research lines are presented.
A mobile enterprise is a company whose employees are nomads and who work on a collaborative
information system. This system allows employees in real time to consult, verify, or record
information in the database of the mobile enterprise (mobile ecosystem). [
The emergence of the concept of mobile enterprise has been generated by a number of needs such as: ● Employees not required to be present in the same workplace ● Real-time access to up-to-date information (availability) ● Simple use ● Rapid deployment of information.
1. End user 2. Mobile device (hardware, operating system and applications) 3. Company (servers, applications and services, and data sources); 4. Network path (connects the mobile device to the enterprise via, for example, local WiFi or cellular communications, network operators, Internet, routers, etc.).
To achieve sufficient security for the entire mobile enterprise, it is necessary to secure these four parts. Each part suffers from a specific set of vulnerabilities and therefore requires a security solution that meets its particular needs.
Mobility certainly has a positive influence on the turnover (gain and reduction of costs) of a company. However, it also brings a lot of disadvantages, particularly if it is not enough taken care of. Threats to the mobile ecosystem can indeed increase and affect the security of users and organizations.
Several solutions have been created to protect a mobile enterprise against these threats, including mobile application management (MAM), mobile device management (MDM), enterprise mobility management (EMM), mobile content management (MCM), Unified Endpoint Management (UEM), and Mobile Identity Management IAM.
As an architect, you are responsible for determining which approach is best for the environment you
manage. Which approach (MDM, MAM, EMM, UEM, IAM, or MCM) is right for your environment?
Let's go through each one [
Monitors, manages, and secures mobile devices that are deployed across different cellular carriers. The process installs an application on the device to give access to and control of the device. 3.2.
Provides control at the application level that would enable administrators to manage and secure app
data [
EMM is a global approach for devices and platforms that centralize the management, configuration, and security of all mobile devices managed by an enterprise.
EMM goes beyond traditional device management to include the management and configuration of enterprise applications and content. Thus, a complete EMM strategy also aims to help employees be more productive by providing them with the tools they need to do their work on mobile. EMM Combines MDM and MAM. This leads to increased complexity and costs 3.4.
UEM provides enterprise management of endpoints, including mobile devices, printers, laptops, and desktops, IoT devices from a single management platform.
The disadvantage of this approach is that it is expensive with intense management. 3.5.
(Sometimes called MIM for Mobile Information Management) supports and controls access to content from mobile devices. It uses either a secure container or content push (In both cases, device and app are secondary.); to ensure that only approved apps can access and share company data. 3.6.
Which is the set of processes implemented by a company for managing the access authorization of its users (employees, partners or customers) to its information system or its applications. Thus, identity and access management is concerned with, for example, controlling how users acquire an identity, how to protect that identity, and the technologies that enable that protection. 4.
As mentioned above, a lot of mobile ecosystem management solutions for the mobile enterprise were introduced (MDM, MAM, EMM, MCM, UEM and IAM). The implementation of these solutions can produce certain problems to which the company must be very vigilant. In this section, we analyze in particular the two most used mobile ecosystem management tools (MDM and MAM). 4.1.
The MDM is an application that manages the deployment, securing, monitoring, integration and
administration of personal or professional mobile devices, such as smart phones or tablets that have
access to critical data [
Its objective is to harmonize and secure the company's fleet by ensuring that all employees have up-to-date programs and that their devices are properly secured. The program also facilitates the spread of security patches or new software for all employees (Figure 2).
The MDM manages various sizes and types of fleets ranging from ten identical terminals, to thousands of terminals all different and using different operating systems.
The main security features of the MDM application are [
The MAMtechnologies apply management and policy controls to individual applications rather
than the entire device. MAM allows IT administrators to install, update, delete, audit and monitor
enterprise applications on mobile devices [
MAM solutions generally offer a custom application store that allows to control and deliver internally developed and third-party applications (Figure 3).
MAM represents all the software and services responsible for supplying and controlling access to mobile applications. These applications are used in professional environments on smartphones and tablets provided by the enterprise.
The main security functionalities of the MAM application are [
With MAM, employees can gather their personal and professional information in a smartphone capable of retaining independent operational identities. The idea is that users can install Facebook and other apps of personal interest in the personal partition, but that work-related apps and data are stored in the working partition.
Ina security model centered on the MAM application, an application establishes its own autonomous encrypted communication channel at the application level or in the closed environment where the application exists, without depending on the operating system or the device. This provides a tampon between personal space and corporate space. The separation of enterprise applications from personal space fulfills several key functions [16]: • It preserves the user experience without modifying the device or controlling personal applications; • It provides the necessary level of access control for enterprise applications with the ability to exceed current standards; • It reduces the company's risk posture by eliminating the use of endpoints for data entry on the approved network. 4.3.
Each mentioned security method has its strengths and limitations in terms of protecting internal data reachable from mobile devices (Table2). A robust security analysis should include a security strategy, which should significantly reduce the security risks associated with BYOD. Table 2 presents the main differences between the two most used mobile ecosystem management tools: MDM and MAM.
The next section presents the proposed control mechanism. It strengthens the security of MAM and ensures a perpetual update in order to counter any new attack in a short time. In addition, it relies on detections from other applications which themselves benefit from continuous updates.
In this article, we propose to introduce a control mechanism at the MAM application level which autonomously applies a strategy for controlling access to resources and system services and generates a reaction requesting the intervention of administrators in the enterprise.
The basic idea of this approach is to provide MAM with the control faculty that will allow it to make decisions as to whether or not to authorize an application that requests access to a system service. This control is based on MAM's ability to intercept interactions between applications and a few system processes to retrieve detailed information on applications requests necessary for finegrained access control Mobile Device Management (MDM) Mobile Application Management (MAM) • Management, security and control of • Management and security only of applications the mobile device (MDM touches specially designed by the enterprise (MAM targets terminals). applications). • Remote deletion of all content from the • Deletion only of professional data. device in the event of theft or loss.
Focuses on security: Focuses on making available: • The application of defined password • Creation of a catalog of safe and approved policies; applications to download to give users the • Encryption of data on the device; opportunity to do more effective work on their • Control of data sharing options at the devices; device level, for example, wifi, camera, • Management of multi-user profiles for the same Bluetooth and 3G; application; • Blocking, remote erasure, location of • Change the configuration of the application without the device, ...; the need to update the version. • Control of mobile devices such as printers and scanners. • Managing and securing applications; • Prevention of data loss; • Distribution of application based on the configuration; • Management of a whitelist and a blacklist of the device, the user and the applications; • Inventory management of applications and peripherals. 5.1.
The role of the proposed security mechanism is to quickly detect an attack to counter it as quickly as possible, to be able to react in real time to an intrusion attempt and to improve the security of the MAM by local processing (at the mobile level) alerts. The help of the company security administrator will only be required in the event of ambiguity (the control mechanism could not confirm or deny the attack).
We assume the existence, at the mobile device level, of other intrusion detection tools such as HIDS (Host Based Intrusion Detection System). The security information collected by these different tools will be used by the proposed security mechanism to improve detection.
The proposed mechanism uses three components present on the mobile (Figure 4): • A collector component; • An analyzer component; • An executor component.
The collector component intercepts alerts from other existing control applications at the mobile level, such as the intrusion detection system, as well as suspicious activities detected by the MAM application itself and transfers them to the analyzer component (Figure 5).
The analyzer component analyzes the various alerts received from the collector component (each analyzer component has a blacklist (constantly updated by the mobile company).
If the component confirms the presence of an attack, it sends a notification to the executing component which will take the appropriate measures.
If the analyzer component suspects an attack, it requests the executing component to send a warning alert to ask the intervention of the security administration of the mobile enterprise in order to analyze this alert in turn (Figure 6). If the attack is confirmed, the operation to update the black lists present on the mobiles is launched.
The role of the component executor is to execute the tasks according to the notification of the analyzer component. These tasks may include restoring corrupted files, prohibiting network connection, etc. (Figure 7).
When a new vulnerability is discovered, the security controls of the mobile enterprise determine which assets are vulnerable. Additionally, each component has local responsibilities to protect the mobile device from malware attacks, and then communicate the details of the attack to the mobile company's security department to build an up-to-date Black List Enterprise (BLE) and then distribute it to corporate resources to protect all other devices. In this way, the network defenses are constantly refined to protect each user and the entire computer system (Figure 8).
Here we describe the main activities of our approach illustrated by a sequence diagram(Figure9) where the operations are: Read_packets(): read packets; Verify (BLE): check if the attack exists in the BLE; Trait_alert(): process the alert based on the notification from the analyzer component; Update_ BLE ( ): update the Blacklist enterprise.
Alert: send alert detected; Request_ analysis: ask the analyzer component to analyze detected alerts; Send_alert: send message about the detected attack; Request_Update_BLE: ask the analyzer component to update the enterprise blacklist.
The mobile enterprise presents many IT security challenges as the threat environment is constantly changing. Even if we keep the current threats and vulnerabilities, we must remain aware of emerging technologies and potential vulnerabilities that result. Business IT staff will need to pay attention to the threatening surface of mobile platforms and help users understand how to defend their devices. It's about thinking in specific terms: who needs access to the enterprise's applications and services and how to integrate it into the activation of single sign-on? Which users in which roles should be allowed to use mobile devices to access the network and which applications should be allowed to access? What should and shouldn't these users be allowed to do? What types of devices and operating system versions should be allowed? How will managers measure the activities of mobile businesses to measure their success? Does a security policy have to duplicate the location and the type of device of the user? To get a head start on the mobile enterprise, those responsible for intelligent enterprise management, IT and security will need to answer all these questions.
Unfortunately, existing security controls suffer from certain limitations and do not meet the requirements of mobile companies. But after studying the two most used applications "MDM and MAM", we noticed that the only weak point of MAM compared to MDM concerns only the security aspect, which leads us to believe that it would be wise to provide MAM with specific security features adapted to a given company and to each of the users of its information system.
Therefore, we have proposed the MAM+ approach which is a mobile-level component that seamlessly enriches and strengthens any MAM application with new analytics and security capabilities which are not present in the original applications source code. The proposed approach permits to ensure that we will always stay abreast of all the threats that are happening and this is done using BLE database that it is always updated. It allows the company to take advantage of the benefits of the mobile revolution, while protecting all users from possible risks.
Our proposed approach offers several advantages: • It significantly simplifies the task of controlling access to corporate data at the mobile level; • It reduces network traffic (the majority of checks are at the local level); • It improves the detection rate; • It makes it possible to benefit from the advantages of existing applications while avoiding its disadvantages.
Mobile enterprises need a tailor-made strategy to guarantee security, but unfortunately the current range of security tools is not designed to meet the security requirements of mobile enterprises. The dilemma of the mobile enterprise mobility strategy described above is serious. However, these new technologies and new security concerns create an opportunity for future research in several areas. How aware are mobile businesses of the new threats? What are the costs and implications for companies of investing in new technological security solutions, such as MDM or MAM? What other security solutions could be more effective at lower cost? What IT capabilities should mobile enterprise acquire to stay in the mobility sector?
In this article, we have proposed a control mechanism which strengthens the security aspect of the MAM application. The objective of this solution is to apply a dynamic control capable of quickly detecting and countering the various threats which are constantly increasing (responding in real time to an intrusion attempt).It decreases the network traffic and progresses the detection rate.
Our work opens the way to several research perspectives because we envisage improving our approach by integrating other measures for detection of a wider range of attacks with an improvement in development costs, speed and performance.
[1]D.Bailey, The difficulty of securing your mobile workforce, Computer Fraud & Security journal, Volume 14, Num 9, September 2014, pp. 19-20. doi: 10.1016/S1361-3723(14)70532-9 [16] A.Brunnert, S.Eicker, P. M. Schuler, MANAGING SECURE SYSTEM ARCHITECTURES FOR MOBILE ENTERPRISE APPLICATIONS, IADIS International Conference Applied Computing, September 2011, pp.131-138.